CVE-2022-23218: 
NixOS vulnerability analysis and mitigation

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow. This vulnerability was discovered and disclosed in January 2022, affecting all versions of glibc up to and including 2.34 (NVD, Debian Advisory).

The vulnerability exists in the svcunixcreate function within the sunrpc's svcunix.c module. The function copies the path argument onto the stack without performing any length validation, leading to a potential stack-based buffer overflow. The CVSS v3.1 base score is 9.8 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Sourceware Bug).

If successfully exploited, this vulnerability could result in a denial of service condition. Furthermore, if an application is not built with stack protector enabled, it could potentially lead to arbitrary code execution. The vulnerability affects systems where the deprecated compatibility function svcunix_create is in use (NVD, Debian Advisory).

The vulnerability was fixed in glibc version 2.35. Users are strongly recommended to upgrade to this or later versions. For systems that cannot be immediately upgraded, enabling stack protector during compilation can help mitigate the risk of arbitrary code execution, though it won't prevent denial of service conditions (Sourceware Bug, Gentoo Advisory).